Towards a Cyber Safe Critical Infrastructure: Answering the 3 questions*

What are the main challenges in implementing cyber security policies?

There are several challenges in developing and most importantly, in implementing cyber security policies. However most successful efforts will be judged according to the way the following 3 important questions are answered:

1. What to protect?

2. From what cyber threats?

3. How, considering that resources are scarce and that you can’t fully protect everything, to protect chosen critical assets in the most cost-effective way?

This may seem simple to do at first reading. However the level of complexity and time required for arriving at a consensus on answers becomes quickly evident when you sit down with a group of professionals tasked with developing a cybersecurity policy or strategy. In terms of deciding what to protect if you are in Government you tend to say that Government information systems and data need to be protected. However what about the electric grid which is a part of national critical infrastructure? If the electricity goes out as a result of a cyber-attack then so also goes your Government information systems that need electricity to operate. Not to mention the ill effect on your economy and well-being of society caused by a prolonged failure in the power supply. You will never have all the resources needed to protect everything so time and consideration is required in determining what is truly critical and deserves resources. Remember resources have to be found for other things like health care and schools so spending time on this first question if successful will provide convincing arguments to counter the criticisms of opponents and save time in getting a policy approved. One should also avoid the temptation to follow what another country is doing. Their priorities may be different from yours and by blindly following or copying what is being done elsewhere risks leaving something that should be a priority for your country out of the policy.

In answering the second question [from what threats?] it is a mistake to think that the only threats out there in cyberspace are coming from hackers, socially motivated hacktivists, and cyber criminals. States and the “cyber samurai” working for them or getting state support are also a source of threats especially to critical infrastructure. STUXNET was a targeted cyber weapon developed by a state to attack equipment belonging to the critical infrastructure of another state. It was a highly sophisticated cyber-attack on the systems used to monitor and control a critical industrial process. The apparent success of this attack which brought no punishment to the attacker and executed at relatively little cost has attracted a lot of attention. Cyber-attacks offer a lot of advantages to the attacker. Courses on attacking such systems are now available at Black Hat conferences. Hackers are even adapting sophisticated search engines such as SHODAN to seek out industrial control system equipment connected to the Internet. In recent years targeted cyber attacks on critical infrastructure have multiplied. Many of them upon analysis reveal signs of state involvement ranging from the cyber intrusion of Belgian telecommunications company Belgacom, to the “Sandworm”, “Regin”, and “Cleaver” malwares whose activities have targeted critical infrastructures of the energy and transportation sectors. In seeking to protect critical infrastructure one has to keep in mind that this is a different operating environment from the traditional information system or web site management systems. This environment is characterized real-time control and safety systems designed to safely and reliably provide some product or service such as electricity. These systems were designed with a different set of assumptions. One of them was that they would not be connected to the Internet and the other was that no one would be trying to intentionally attack them. It may be hard to break into such systems but once “inside” there are very few limits on the amount of “mischief” can be done.

The answer to the third question [How?] concerns the development of “national cyber capacity”. This concerns the passage of laws, imposing regulations and standards, and creating institutions such as Computer Emergency Response Teams (CERT’s) to insure high levels of resilience and response to cyber-attacks and incidents. There are two tracks that can be taken. One is to create the institutions first. For example the creation of a National Computer Emergency Response Team (CERT) and “cyber police” unit in the police or department tasked with dealing with organized crime. However when these new units start to operate they may not have the necessary powers to do their job. The national CERT may not have the powers to work with telecommunication service providers in the country. What if the cyber incident is linked to the activities of a state? Is this to be given to the “cyber police” to handle or do you need to call in the Ministry of Foreign Affairs? The question of “who is the boss” may also come up. To deal with these issues in advance it may be wise to come up with a National Cybersecurity Law which establishes the institutions and defines their roles and responsibilities. This may be a good path to follow but it is very dependent on who is writing the law. If they are legal experts they may lack enough technical knowledge to write a good law that deals with the technical issues of “cyberspace”. Technical people can’t write the law either so you need to have a balance of all relevant parties in preparing the law. “Cyber lawmakers” or “cyber politicians” are needed together with the technical community from the private and academic sectors to come up with a law that will be effective. In Lithuania we tried both ways (perhaps the hardest way) starting with a bottom up approach of creating institutions before a law. Finally we have a cybersecurity law ready to be passed by our Seimas (Parliament) which may be the best solution in the end for dealing with the dynamic threats in cyberspace today.

What can be done for the states/companies to lower cyber risks?

The first thing that can be done is to be more aware of the importance of answering the 3 questions discussed above. A process must take place that determines what critical assets and processes need to be protected and insuring that management is behind the implementation of necessary measures to reduce the risk from today‘s cyber threats. To successfully achieve these goals cyber security capacity (system of laws, institutions, regulations and standards) needs to be developed. Companies need to become more aware of the best practices and standards for securing industrial control systems that are available. They should not just view them as voluntary but should see them as mandatory practices that need to be implemented. Yes it will mean that extra time and effort will be required to convince management and stock holders that spending money on security is justified. Government can help by pointing out these risks to companies and of their accountability (liability) for damage caused by a cyber-incident that could have been prevented.

The next challenge is related to the first one mentioned above, namely lack of awareness of the complexity of dealing with threats emanating from cyberspace. In terms of insuring the cybersecurity of critical infrastructure Information Technology (IT) thinking dominates. It is too frequently assumed that the same IT technology sitting on one’s desk is the same as the IT used to monitor and control critical real-time industrial process taking place in our gas pipelines, electric grids, transportation (seaport, shipping, train, aircraft, highway tunnel) and manufacturing systems. No they are not the same. They are designed according to different security and engineering criteria. One of which is that these control systems were assumed to be isolated from the Internet, no one thought that they would be subject to cyber incidents and cyber-attacks. IT imposed solutions by IT professionals who poorly understand industrial controls systems (SCADA, DCS, PLC’s) can have surprising and potentially dangerous results. In 2008 for example the Hatch nuclear reactor in the United States was made to go into emergency shutdown for two days because of a problem that occurred from executing a software upgrade on a single computer! The term “insecurity by design” has been used to describe the effect of increasing use of IT in formerly closed industrial environments on the cyber safety of control systems. There is a challenge to create a bridge between domineering IT cybersecurity professionals with MS-Windows, CISCO, and LINUX diplomas and with Industrial Control System professionals with engineering diplomas. IT cybersecurity needs to be part of the ICS design phase right from the beginning. Not the way that it is today where IT cybersecurity tends to be grafted on after a complex industrial control system has been designed and put into operation.

On the level of states and reducing risks to national critical infrastructure an international effort led by cyber knowledgeable politicians and diplomats together with professionals from the technology community need to discuss confidence building measures for states to follow in cyberspace. Rule nr. 1 is that states should agree to restrain themselves in peacetime from directing malicious cyber activities at the critical infrastructures of other states. Rule nr. 2 is that states should take responsibility to insure that their cyberspace is not used as a base to execute cyber-attacks or allow one to transit through their cyberspace jurisdiction. To comply with Rule 2 States have to develop their national cyber capacity which I discussed earlier. Rule nr. 3 is for states to support the creation of an institution to monitor and inform about violations of rule 1 and 2. The International Convention on the Use of Chemical Weapons and the monitoring institution created as a part of the convention can serve as a possible model. The institution is called the Organization for the Prohibition of Chemical Weapons (OPCW). It has worked in practice and has recently won the Noble Peace Prize. Maybe applying this model(1) in establishing an international order for prohibiting the use of chemical weapons can be applied to making cyberspace a safe place for our people, economies and national security.

Note: Evaluations and ideas presented in this interview exclusively belong to the author and can never be considered an official position of any institution he is associated with.

* This was originally published in 2014 for a security research institute. Unfortunately this institute did not survive the recent tumults and the institute’s website together with my article were taken off line. In Scadasec there was some discussion regarding the determination of security priorities. For this reason I have reproduced my article in this blog as the content still bears relevance to the challenges of securing our critical systems today.

1. There are other models to consider. The NATO Cybersecurity Center of Excellence has published an interesting volume called Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy . For a short review read Cyber Security in an International Context, perConcordiam Vol. 5. Nr. 2 p. 64-65.

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.